APT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon - Shusei Tomonaga JPCERT Coordination Center
|
|
- Augustus Ward
- 6 years ago
- Views:
Transcription
1
2 APT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon - Shusei Tomonaga JPCERT Coordination Center
3 Self-introduction Shusei Tomonaga Analysis Center at JPCERT/CC Malware analysis, Forensics investigation. Written up posts on malware analysis and technical findings on this blog and Github
4 Challenge of Incident Response Many hosts need to be investigated for APT Incident Response. Logs required for investigation are not always recorded. Difficult to detect Lateral Movement. 3
5 Approach If you know what logs are recorded with the lateral movement tools, IR will be easier. For lateral movement, a limited set of tools are used in many different incidents. There are some common patterns in the lateral movement methods. 4
6 This Presentation Topics Overview of APT Incident and Lateral Movement Tools Used by Attackers for Lateral Movement How to Track Lateral Movement 5
7 1 2 3 Overview of APT Incident and Lateral Movement Tools Used by Attackers for Lateral Movement How to Track Lateral Movement 6
8 Overview of APT Incident and Lateral Movement 1. Infection 2. Initial investigation 5. Sending stolen data Target Network 3. Internal Reconnaissance 4. Spread of infection AD/ File Server 7
9 1 2 3 Overview of APT Incident and Lateral Movement Tools Used by Attackers for Lateral Movement How to Track Lateral Movement 8
10 Tools Used by Attackers at Lateral Movement Attackers use not only attack tools but also Windows commands and legitimate tools. Why attackers use Windows commands and legitimate tools? They are not detected by antivirus software. 9
11 Research of Tools Used by Attackers Research Methods Investigating C&C servers in three operations. APT17 (named by FireEye) Dragon OK (named by Palo Alto) Blue Termite (named by Kaspersky) 10
12 Lateral Movement: Initial Investigation Initial investigation Collect information of the infected host The most used command is tasklist. If the attacker is not interested in the infected host, they will escape soon. 11
13 Windows Command Used by Initial Investigation Rank Command Count 1 tasklist ver 95 3 ipconfig 76 4 systeminfo 40 5 net time 31 6 netstat 27 7 whoami 22 8 net start 16 9 qprocess query 14 12
14 Lateral Movement: Internal Reconnaissance Internal Reconnaissance Look for information saved in the machine and remote hosts within the network The most used command is dir. The attacker investigates confidential data stored in the infected host. For searching the network, net is used. 13
15 Windows Command Used by Internal Reconnaissance Rank Command Count 1 dir net view ping net use type net user 95 7 net localgroup 39 8 net group 20 9 net config net share 11 14
16 NET Command net view Obtain a list of connectable domain resources net user Manage local/domain accounts net localgroup Obtain a list of users belonging to local groups net group Obtain a list of users belonging to certain domain groups net use Access to resources 15
17 Example: dir command Searching Network Drive > dir FILESV01 SECRET > %TEMP% a.txt FILESV SECRET Directory 2014/07/11 09:16 [DIR] Management of Partner Companies 2014/09/04 11:49 [DIR] Management of Intellectual Property Searching Document Files > dir c: users hoge *.doc* /s /o-d c: users hoge AppData Local Temp Directory /s : Displayed recursively /o-d : Sorted by date 2014/07/29 10:19 28, doc 1 File 28,672 bytes c: users hoge Important Information Directory 2015/08/29 10:03 1,214 Design Document.doc 16
18 Lateral Movement: Spread of Infection Spread of infection Infect the machine with other malware or try to access other hosts The most used command is at. at command is not supported on Windows 10, Windows 8.1 etc. If "at" command can not be used, schtasks is used. Uses password and hash dump tools. 17
19 Windows Command Used by Spread of Infection Rank Command Count 1 at reg 31 3 schtasks 29 4 wmic 24 5 wusa 7 6 netsh advfirewall 4 7 sc 4 8 rundll
20 Remote Command Execute Used Windows Command at command > at [IP Address] 12:00 cmd /c "C: windows temp mal.exe" schtasks command > schtasks /create /tn [Task Name] /tr C: 1.bat /sc onstart /ru System /s [IP Address] 19
21 Remote Command Execute Used Windows Command wmic command > wmic /node:[ip Address] /user: [User Name] /password: [PASSWORD] process call create cmd /c c: Windows System32 net.exe user 20
22 1 2 3 Overview of APT Incident and Lateral Movement Tools Used by Attackers for Lateral Movement How to Track Lateral Movement 21
23 How to Track Lateral Movement The Event logs that can be used for incident response are not recorded with default Windows settings. How to get evidence of executed tools? We propose a detection method using Audit Policy and Sysmon. 22
24 Lateral Movement Tracking by Audit Policy and Sysmon Research Methods Testing 44 attack tools on the host that installed Sysmon and enabled Audit Policy. OS Windows 7, 8.1, 2008 and 2012 Sysmon Version 4 Test tools 17: Windows Commands 27: Attack Tools 23
25 Test Tools List Windows Commands wmic PowerShell at winrm winrs BITS RDP ntdsutil vssadmin net user net use net share icacls wevtutil csvde ldifde dsquery Legitimate Tools PsExec sdelete WebBrowser PassView Remote Desktop PassView Mail PassView Password Dump Tools PWDump7 PWDumpX WCE Mimikatz lslsass Find- GPOPasswords.ps1 gsecdump Quarks PwDump 24
26 Test Tools List Exploits MS MS MS SDB UAC Bypass Other Tools wmiexec.vbs BeginX Htran Fake wpad timestomp 25
27 Results Overview Detected 37 out of 44 attack tools using Audit Policy and Sysmon. Settings Detect Not Detect Default Settings 6 38 Sysmon / Audit Policy
28 Detected with Default Windows Settings The tools installed by default in Windows leave execution traces of evidence. Detected tools example (Default installed tools only) RDP at WinRM, WinRS wevtutil BITS 27
29 Detected with Sysmon and Audit Policy If Sysmon and Audit Policy are enabled, many attack tools can be detected. Detected tools example WCE Mimikatz net command csvde Privilege Escalation Exploit etc. 28
30 Sysmon and Audit Policy record many logs Source Host (Default Setting) Destination Host (Default Setting) Process Execution, Connection Request, and File Access are not recorded. 29
31 Sysmon and Audit Policy record many logs Source Host (+ Sysmon) Destination Host (+ Sysmon) Process Execution (Sysmon: 1) Connection Request (Sysmon: 3) Inbound (Sysmon: 3) Process Execution (Sysmon: 1) Inbound (Sysmon: 3) Outbound (Sysmon: 3) Process Terminate (Sysmon: 9) Process Terminate (Sysmon: 9) 30
32 Sysmon and Audit Policy recode many logs Source Host (+ Audit Policy) Destination Host (+ Audit Policy) Process Execution (Sysmon: 1 Audit: 4688) Connection Request (Sysmon: 3 Audit: 5156) Inbound (Sysmon: 3 Audit: 5156) Logon (Audit: 4624) Send Command (Audit: 5156) Inbound (Audit: 5156) Process Execution (Sysmon: 1 Audit: 4688) Object Access (Audit: ) Inbound (Sysmon: 3 Audit: 5156) Outbound (Sysmon: 3 Audit: 5156) Process Terminate (Sysmon: 9 Audit: 4689) Process Terminate (Sysmon: 9 Audit: 4689) 31
33 Do we need Sysmon? Answer: YES Audit Policy can record more logs than Sysmon. However, Audit Policy can not record command line options. Sysmon can record all command line. 32
34 Example of Detecting with Audit Policy [1] When the attack tool is executed, the fact that a temporary file may be created is recorded. Example: WCE wceaux.dll 33
35 Example of Detecting with Audit Policy [2] When the attack tool is executed, the fact that a temporary file may be created is recorded. Example: csvde csv[number].tmp 34
36 Event ID for Audit Policy ID Overview ID Overview 4624 Account logon 4689 Process termination 4634 Account logoff 4720 Account creation 4648 A specified logon attempt by a particular account 4726 Account deletion 4656 A handle request for reading or writing an object 4728 Addition of a member to a group 4658 Ending the use of and releasing of a handle 4729 Removal of a member from a group 4690 Duplication of an existing handle for use in other processes 4768/ 4769 An authentication request for an account 4660 Deleting an object 4946 Addition of a Windows Firewall rule 4663 Access made to an object 5140 Access to network share 4661 A handle request to SAM 5142 Creation of a new network share 4672 Assignment of special privileges to a particular logon instance 5144 Deletion of a network share 4673 Execution of a process requiring particular privileges 5145 Confirmation of whether a file share point can be used 4688 Startup of a process 5154 Port listening by an application or service 35
37 Example of Detecting with Sysmon All Windows commands can be recorded by Sysmon. Example: net use Command details cmd /c = Remote shell Malicious process name that executed the command. 36
38 Event ID for Sysmon ID Overview Supported Version 1 Process creation 2 A process changed a file creation time 3 Network connection 4 Sysmon service state changed 5 Process terminated 6 Driver loaded 7 Image loaded 8 CreateRemoteThread 9 RawAccessRead 10 ProcessAccess 11 FileCreate RegistryEvent (Object create and delete) RegistryEvent (Value Set) RegistryEvent (Key and Value Rename) FileCreateStreamHash
39 Tools not Detected with Sysmon and Audit Policy Example PWDump7 gsecdump lslsass Mail PassView WebBrowserPassView Remote Desktop PassView dsquery 38
40 More Details About This Research Released a research report. Detecting Lateral Movement through Tracking Event Logs How to download. _research.html 39
41 More Details About This Research Describes the 44 tools in this report. 40
42 Notes The amount of logs increases when the audit policy is enabled, and log rotation accelerates. When enabling the audit policy, consider changing the maximum size of event logs to be stored. The maximum size of event logs can be changed with Event Viewer or the wevtutil command. 41
43 Future Work This report will be updated. Support Windows 10 Update Sysmon version 5 Add forensic architecture USN Journal, AppCompatCache, UserAssist etc. Add network architecture Proxy, Firewall etc. Add other attack tools 42
44 Conclusion Typically, limited set of tools and commands are used for Lateral Movement. Many attack tools can be detected with audit policy and Sysmon. Our report would be helpful if you are investigating APT incidents. 43
45 Thank you! Please give us feedback. 44
Detecting Lateral Movement through Tracking Event Logs (Version 2)
Detecting Lateral Movement through Tracking Event Logs (Version 2) JPCERT/CC December 05, 2017 Table of Contents Detecting Lateral Movement through Tracking Event Logs (Version 2) 1. Introduction... 2
More informationHunting Attacker Activities - Methods for Discovering and Detecting Lateral Movements -
Hunting Attacker Activities - Methods for Discovering and Detecting Lateral Movements - Shusei Tomonaga (JPCERT/CC) Keisuke Muda (Internet Initiative Japan Inc.) Self-introduction Shusei Tomonaga Analysis
More informationPursue the Attackers - Identify and Investigate Lateral Movement Based on Behavior Pattern -
Pursue the Attackers - Identify and Investigate Lateral Movement Based on Behavior Pattern - Shusei Tomonaga (JPCERT/CC) Keisuke Muda (Internet Initiative Japan Inc.) Self-introduction Shusei Tomonaga
More informationFIRST Regional Symposium Asia-Pacific Sysmon Log Analysis Tool -SysmonSearch- 2018/10/25 Wataru Takahashi (JPCERT/CC)
FIRST Regional Symposium Asia-Pacific Sysmon Log Analysis Tool -SysmonSearch- 2018/10/25 Wataru Takahashi (JPCERT/CC) Self-introduction Wataru Takahashi Incident Response Group at JPCERT/CC Malware analysis,
More informationHunting for Credentials Dumping in Windows Environment. Teymur Kheirhabarov
Hunting for Credentials Dumping in Windows Environment Teymur Kheirhabarov Senior SOC Analyst @Kaspersky Lab SibSAU (Krasnoyarsk) graduate Ex- System admin Ex- Infosec admin Ex- Infosec dept. head Twitter
More informationDetecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC
Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC Agenda Introduction to JPCERT/CC About system-wide intrusions
More informationBojan Ždrnja, CISSP, GCIA, GCIH, GWAPT INFIGO IS
Laterally pwning Windows Bojan Ždrnja, CISSP, GCIA, GCIH, GWAPT Bojan.Zdrnja@infigo.hr INFIGO IS http://www.infigo.hr Who am I? Senior information security consultant at INFIGO IS Penetration testing (all
More informationExtending Your Incident Response Capabilities with Sysmon
Extending Your Incident Response Capabilities with Sysmon Improving Your Threat Hunting Abilities Peter Morin Over 20yrs in the field Halifax, Nova Scotia KPMG Cyber Security practice IR, threat hunting,
More informationTanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018
Tanium Endpoint Detection and Response (ISC)² East Bay Chapter Training Day July 13, 2018 $> WhoamI 11 Years of Security Experience Multiple Verticals (Technology, Industrial, Healthcare, Biotech) 9 Years
More informationWindows 10 Security & Audit
Windows 10 Security & Audit John Tannahill, CA, CISM, CGEIT, CRISC, CSX-P jtannahi@rogers.com Windows 10 Editions Home Pro Enterprise Education Mobile IoT Editions 1 Windows 10 Builds Windows 10 (initial
More informationDirectDefense. Catch Me If You Can. PenTester/Hacker vs. BlueTeam Defender
DirectDefense Catch Me If You Can PenTester/Hacker vs. BlueTeam Defender Who are we? Jim Broome DirectDefense and Red Teamer Michael Gough InfoSec & Malware researcher and Blue Teamer Agenda Quick Introductions
More informationTactics, Techniques, and Procedures
Dec 8, 2017 This report maps Cobalt Strike's actions to MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix. Command-Line Interface Command-line interfaces provide a way of interacting
More informationPost-Exploitation Hunting with ATT&CK & Elastic
Post-Exploitation Hunting with ATT&CK & Elastic John Hubbard @SecHubb SOC Lead at GlaxoSmithKline SANS Author & Instructor SEC455: SIEM Design & Implementation SEC511: Continuous Monitoring & Security
More informationMike Pilkington. SANS Forensics and IR Summit June, 2011
Mike Pilkington SANS Forensics and IR Summit June, 2011 Since graduating from UT- for a large oil and gas services company Systems Admin, Network Admin, and Security Analyst My current role focuses on
More informationIncident Scale
SESSION ID: SOP-T07 Incident Response @ Scale Salah Altokhais Incident Response Consultant National Cyber Security Center (NCSC),KSA @salah.altokhais Khalid Alsuwaiyel Incident Response Specialist National
More informationWindows Hash Reinjection Using GSECDUMP and MSVCTL By Deron Grzetich
Windows Hash Reinjection Using GSECDUMP and MSVCTL By Deron Grzetich Intro The objective of this exercise is to prove that gsecdump and msvctl actually work as prescribed. These tools can be used to reinject
More informationTracking mimikatz by Sysmon and Elasticsearch
Tracking mimikatz by Sysmon and Elasticsearch Aug 26, 2017 Interfaculty Initiative in Information Studies Graduate School of Interdisciplinary Information Studies, The University of Tokyo Wataru Matsuda,
More informationDeploy and Configure Microsoft LAPS. Step by step guide and useful tips
Deploy and Configure Microsoft LAPS Step by step guide and useful tips 2 Table of Contents Challenges today... 3 What is LAPS... 4 Emphasis and Tips... 5 How LAPS Work... 6 Components... 6 Prepare, Deploy
More informationChgport The chgport command can be used to display or change COM port mappings for DOS compatibility.. Chgusr The chgusr command is used to change the
Windows 7 Command Prompt Commands Append The append command can be used by programs to open files in another directory as if they were located in the current directory. Arp The arp command is used to display
More informationEvent Log 101. What is Event Log? Windows version of syslog.
Event Log Analysis Event Log 101 What is Event Log? Windows version of syslog. Where are these artifacts located in? %SystemRoot%\System32\winevt\Logs %SystemRoot% is C:\Windows typically. 2 Event Log
More informationPass-the-Hash Attacks
Pass-the-Hash Attacks Mgr. Michael Grafnetter www.dsinternals.com Agenda PtH Attack Anatomy Mitigation Proactive Reactive Windows 10 + Windows Server 2016 Microsoft Advanced Threat Analytics PtH Attack
More informationAll Microsoft Dos Commands
1 All Microsoft Dos Commands (Microsoft Disk Operating System) 2 All Microsoft Dos Commands: ADDUSERS ARP ASSOC ASSOCIAT AT ATTRIB BOOTCFG BROWSTAT CACLS CALL CD CHANGE CHKDSK CHKNTFS CHOICE CIPHER CleanMgr
More informationLearning Normal with the Kansa PowerShell IR Framework
Learning Normal with the Kansa PowerShell IR Framework Jason Simsay April 2017 GIAC GSEC GCIH GCIA GCUX GCPM SANS Technology Institute - Candidate for Master of Science Degree 1 1 Objective Prepare now
More informationSmart-X Software Solutions Core Configurator User guide
Smart-X Software Solutions Core Configurator User guide Table of content: WELCOME 4 FEATURES AND CAPABILITIES 5 MORE SYSTEM MANAGEMENT TOOLS 6 REQUIREMENTS 8 LICENSING AND INSTALLATION 8 EVALUATION VERSION
More informationADVERSARIAL APPROACH TO IMPROVE DETECTION CAPABILITIES
ADVERSARIAL APPROACH TO IMPROVE DETECTION CAPABILITIES Massimo Bozza Ethical Hacker Senior Security Engineer @maxbozza Pietro Romano Principal Security Engineer @tribal_sec AGENDA Adversarial approach
More informationActive Directory Attacks and Detection
Active Directory Attacks and Detection #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos This talk is Based on Tim Madin
More informationChapter 5 Live Data Collection Windows Systems
Chapter 5 Live Data Collection Windows Systems Ed Crowley Spring 10 1 Topics Live Investigation Goals Creating a Response Toolkit Common Tools and Toolkits Preparing the Toolkit Storing Information Obtained
More informationJoe Stocker, CISSP, MCITP, VTSP Patriot Consulting
Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting Microsoft Cloud Evangelist at Patriot Consulting Principal Systems Architect with 17 Years of experience Technical certifications: MCSE, MCITP Office
More informationWHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX
WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX 1 INTRODUCTION The MITRE Corporation Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ) Matrix provides a model
More informationPremediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.
Premediation The Art of Proactive Remediation Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C. Overview Case Study Remediation Overview Premediation
More informationCyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems
Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational
More informationMalware Behavior. Chapter 11
Malware Behavior Chapter 11 Common Malware Functionalities Downloaders Backdoors Credential stealers Persistence mechanisms Privilege escalation Covering tracks (rootkits) Downloaders and Launchers Retrieve
More informationTanium Trace User Guide. Version 2.2.0
Tanium Trace User Guide Version 2.2.0 November 07, 2017 The information in this document is subject to change without notice. Further, the information provided in this document is provided as is and is
More informationLive Adversary Simulation: Red and Blue Team Tactics
SESSION ID: HTA-T06 Live Adversary Simulation: Red and Blue Team Tactics James Lyne Head of R&D SANS Institute @JamesLyne Stephen Sims Security Researcher & Fellow SANS Institute @Steph3nSims Agenda 2
More informationHow Breaches Really Happen
How Breaches Really Happen www.10dsecurity.com About Dedicated Information Security Firm Clients Nationwide, primarily in financial industry Services Penetration Testing Social Engineering Vulnerability
More informationAttackers Process. Compromise the Root of the Domain Network: Active Directory
Attackers Process Compromise the Root of the Domain Network: Active Directory BACKDOORS STEAL CREDENTIALS MOVE LATERALLY MAINTAIN PRESENCE PREVENTION SOLUTIONS INITIAL RECON INITIAL COMPROMISE ESTABLISH
More informationPOWERSHELL: FROM ATTACKERS' TO DEFENDERS' PERSPECTIVE
POWERSHELL: FROM ATTACKERS' TO DEFENDERS' PERSPECTIVE Elliott Neo and Crystal Tan AGENDA Trends and Attacks Logs PowerShell Logs PowerShell Versions Sysmon Logs Mitigations Restricted RunSpace Constrained
More informationDetecting Computer Intrusions: Are You Pwned?
Detecting Computer Intrusions: Are You Pwned? Steve Anson Former computer agent for the U.S. Department of Defense and Federal Bureau of Investigation (FBI) Former computer crime investigation instructor
More informationWINDOWS ADVANCED LOGGING CHEAT SHEET - Win 7 thru Win 2016
This Windows Advanced Logging Cheat Sheet is intended to help you expand the logging from the Windows Logging Cheat Sheet to capture more details, and thus noisier and higher impact to log management licensing.
More informationColin Gibbens Director, Product Management
SOAR = Human Intelligence and Creativity at Speed of Machine Abhishek Narula EVP, Head of Product and Engineering Colin Gibbens Director, Product Management 1 2 What is Security Orchestration Why do I
More informationRemediating Targeted-threat Intrusions
Remediating Targeted-threat Intrusions Jim Aldridge Introduction Successfully remediating a targeted intrusion by a persistent adversary requires a different approach from that applied to non-targeted
More informationI Thought I saw a - 4><0.Haxx0R. A Threat Hunting we Will Go!
I Thought I saw a - 4>
More informationThe Ultimate Windows 10 Hardening Guide: What to Do to Make Hackers Pick Someone Else
The Ultimate Windows 10 Hardening Guide: What to Do to Make Hackers Pick Someone Else Paula Januszkiewicz CQURE: CEO, Penetration Tester CQURE Offices: New York, Dubai, Warsaw MVP: Enterprise Security,
More information10 Ways Credit Unions Get PWNED
10 Ways Credit Unions Get PWNED NASCUS 2017 Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. Intro I am going to share with
More informationUser Guide for COFEE v1.1.2
User Guide for COFEE v1.1.2 Release Date: September 2009 Copyright Reserved Table of Contents Introduction... 1 What is COFEE?... 2 Digital Forensics Attributes and Principles... 2 Volatile Information
More information(Re)Investigating PowerShell Attacks
(Re)Investigating PowerShell Attacks BruCON 0x0A Retro Talks Matt Hastings, Ryan Kazanciyan 2 Investigating PowerShell Attacks, 2014 Desired State: Compromised, 2015 3 Revisiting Investigating PowerShell
More informationCNIT 121: Computer Forensics. 9 Network Evidence
CNIT 121: Computer Forensics 9 Network Evidence The Case for Network Monitoring Types of Network Monitoring Types of Network Monitoring Event-based alerts Snort, Suricata, SourceFire, RSA NetWitness Require
More information#BLACKALPS17. Harman Singh DEFENDZA LTD. 1
#BLACKALPS17 Harman Singh www.defendza.com @defendzaltd 1 Managing consultant at Defendza Pen Tester/Security Consulting Tweets are welcome @digitalamli #BlackAlps17 Hacktivity, BlackAlps, Bsides, BlackHat
More informationCyber security tips and self-assessment for business
Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this
More informationPass-the-Hash Attacks. Michael Grafnetter
Pass-the-Hash Attacks Michael Grafnetter www.dsinternals.com Agenda PtH Attack Anatomy Mitigation Proactive Reactive Windows 10 + Windows Server 2016 PtH History and Future 1988 Microsoft releases Lan
More informationChapter 9. Firewalls
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however
More informationNot Your Daddy s Winexe. THOTCON 0x9 May 4, 2018
Not Your Daddy s Winexe 13 15 ways to legitimately access a system THOTCON 0x9 May 4, 2018 ELEVATED SECURITY FOR MODERN ADVERSARIES. WHO THE HELL ARE YOU? John Mocuta -- @atucom Principal Security Advisor
More informationKASPERSKY SECURITY CENTER 10 & KASPERSKY SECURITY FOR SERVER
KASPERSKY SECURITY CENTER 10 & KASPERSKY SECURITY FOR SERVER Testing of Installation base on the AWS server Abstract This document create to present the result of testing installation of KSC 10 and the
More informationA YEAR OF PURPLE. By Ryan Shepherd
A YEAR OF PURPLE By Ryan Shepherd WHOAMI DETECTION and RESPONSE Investigator for Countercept Threat Hunter PURPLE Team Consultant Offensive Security Certified Professional (OSCP) Crest Registered Intrusion
More informationCyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX
Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security HTML PHP Database Linux Operating System and Networking: LINUX NETWORKING Information Gathering:
More informationThe flow of transferring the machining programs of the server PC and starting an automatic operation is as below.
CONTENTS 1 OUTLINE... 1 2 OVERALL FLOW... 1 3 NETWORK CONNECTION... 1 4 SETTING EXAMPLE... 1 5 SET SERVER PC... 2 5.1 Windows 7... 2 5.1.1 Install IIS... 2 5.1.2 Set IIS... 4 5.1.3 Set firewall... 9 5.1.4
More informationAutomated Threat Management - in Real Time. Vectra Networks
Automated Threat Management - in Real Time Security investment has traditionally been in two areas Prevention Phase Active Phase Clean-up Phase Initial Infection Key assets found in the wild $$$$ $$$ $$
More informationI Was APT d. What Did They Steal?
I Was APT d. What Did They Steal? Marcus H. Sachs, P.E. Verizon October 19, 2011 All Is Not Lost Just because you found the APT in your system (or were told by a third party that you ve been 0wn3d) doesn
More informationTanium Incident Response User Guide
Tanium Incident Response User Guide Version 4.4.3 September 06, 2018 The information in this document is subject to change without notice. Further, the information provided in this document is provided
More informationBecoming the Adversary
SESSION ID: CIN-R06 Becoming the Adversary Tyrone Erasmus Managing Security Consultant MWR InfoSecurity @metall0id /usr/bin/whoami Most public research == Android Something different today 2 Overview Introduction
More informationDetecting Computer Intrusions: Are You Pwned? Steve Anson HITB 8 Oct 2009
Detecting Computer Intrusions: Are You Pwned? Steve Anson HITB 8 Oct 2009 Steve Anson Former computer agent for the U.S. Department of Defense and Federal Bureau of Investigation (FBI) Cybercrime Task
More informationAUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response
AUTHENTICATION Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response Who we are Eric Scales Mandiant Director IR, Red Team, Strategic Services Scott Koller
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls
More informationDefense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation
Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client
More informationPenetration from application down to OS
April 8, 2009 Penetration from application down to OS Getting OS access using Oracle Database unprivileged user Digitаl Security Research Group (DSecRG) Alexandr Polyakov research@dsecrg.com www.dsecrg.com
More informationProtecting Against Modern Attacks. Protection Against Modern Attack Vectors
Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches
More informationWINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012
This Windows Logging Cheat Sheet is intended to help you get started setting up basic and necessary Windows Audit Policy and Logging. By no means is this list extensive; but it does include some very common
More informationAssessing Your Incident Response Capabilities Do You Have What it Takes?
Assessing Your Incident Response Capabilities Do You Have What it Takes? March 31, 2017 Presenters Tim L. Bryan, CPA/CFF/CITP, CISA, EnCE Director, Advisory Services Forensic Technology & Investigation
More informationWindows Live Acquisition/Triage Using FOSS and AChoir
Windows Live Acquisition/Triage Using FOSS and AChoir Who Am I D0n Quix0te @OMENScan or OMENScan@Gmail.com Creator of OMENS, OMENSApp, AChoir Global Incident Response @ Live Nation 16 Years @ NASA 7 Years
More informationACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems
ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been
More informationA Process is No One: Hunting for Token Manipulation. Jared Atkinson & Robby Winchester
Jared Atkinson Robert Winchester A Process is No One: Hunting for Token Manipulation Jared Atkinson & Robby Winchester @jaredcatkinson Adversary Detection Technical Lead @ SpecterOps Developer: PowerForensics
More informationVolatile Data Acquisition & Analysis
Volatile Data Acquisition & Analysis Villanova University Department of Computing Sciences D. Justin Price Spring 2014 VOLATILE INFORMATION Memory that requires power to maintain data. Exists as Physical
More informationConfigure advanced audit policies
7 LESSON Configuring Advanced Audit Policies 70-411 EXAM OBJECTIVE Objective 2.4 Configure advanced audit policies. This objective may include but is not limited to: implement auditing using Group Policy
More informationModern Realities of Securing Active Directory & the Need for AI
Modern Realities of Securing Active Directory & the Need for AI Our Mission: Hacking Anything to Secure Everything 7 Feb 2019 Presenters: Dustin Heywood (EvilMog), Senior Managing Consultant, X-Force Red
More informationObjectives. Classes of threats to networks. Network Security. Common types of network attack. Mitigation techniques to protect against threats
ITE I Chapter 6 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Objectives Enterprise Network Security Describe the general methods used to mitigate security threats to Enterprise networks
More informationBuilt-in functionality of CYBERQUEST
CYBERQUEST Knows everything Built-in functionality of CYBERQUEST Summary Demonstration of CyberQuest functionality E-mail: office@nextgensoftware.solutions Content Intro... 3 Built-in functionality of CYBERQUEST...
More informationMcAfee Labs Threat Advisory Ransom-Petya Ransom-BadRabbit
McAfee Labs Threat Advisory Ransom-Petya Ransom-BadRabbit October 25, 2017 McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware. This
More informationPractical Network Defense Labs
Practical Network Defense Labs ABOUT This document showcases my practical hands-on engagements in the elearnsecurity HERA labs environment for the Network Defense Professional certification course. I utilized
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationForensic Network Analysis in the Time of APTs
SharkFest 16 Forensic Network Analysis in the Time of APTs June 16th 2016 Christian Landström Senior IT Security Consultant Airbus Defence and Space CyberSecurity Topics - Overview on security infrastructure
More informationRESPONDING TO THE MOST COMMON WINDOWS NT/2000 ATTACKS
RESPONDING TO THE MOST COMMON WINDOWS NT/2000 ATTACKS Responding to the Most Common Windows NT/2000 Attacks: With the increase in the number of attacks against Windows-based Web servers, it is becoming
More informationCollection of state information in live digital forensics
Collection of state information in live digital forensics Fábio Freitas 1 and António Pinto 2 1 GCC, CIICESI, ESTG, Politécnico do Porto, Portugal 8080176@estgf.ipp.pt 2 GCC, CIICESI, ESTG, Politécnico
More informationHunting Lateral Movement with Windows Events Logs. SANS Threat Hunting Summit 2018 Mauricio
Hunting Lateral Movement with Windows Events Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco $whoami Peruvian Recovering pentester, threat management lead @mvelazco Derbycon, Bsides, Defcon
More informationIncident Response Tools
Incident Response Tools James Madison University Dept. of Computer Science June 13, 2013 1 Introduction Being successfully attacked is inevitable. A determined hacker WILL be able to penetrate your network.
More informationRed Leaves implant - overview
Ahmed Zaki David Cannings March 2017 Contents 1 Handling information 3 2 Introduction 3 3 Overview 3 3.1 Summary of files analysed.......................................... 3 3.2 Execution flow................................................
More informationStripping the Malware Threat Out of PowerShell with ensilo. Whitepaper. March
Stripping the Malware Threat Out of PowerShell with ensilo Whitepaper March 2017 www.ensilo.com 2 Table of Contents Introduction In the Beginning - There Was the CMD Prompt When PowerShell Attacks Pulling
More informationA+ Guide to Managing & Maintaining Your PC, 8th Edition. Chapter 17 Windows Resources on a Network
Chapter 17 Windows Resources on a Network Objectives Learn how to support some client/server applications Learn how to share and secure files and folders on the network Learn how to troubleshoot network
More informationIndicators of Compromise
Indicators of Compromise Effectively apply threat information Factsheet FS-2016-02 version 1.0 1 June 2017 If you are responsible for securing the network of your organisation, you will often hear the
More informationCyberArk Privileged Threat Analytics
CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical
More informationPaloalto Networks PCNSA EXAM
Page No 1 m/ Paloalto Networks PCNSA EXAM Palo Alto Networks Certified Network Security Administrator Product: Full File For More Information: /PCNSA-dumps 2 Product Questions: 50 Version: 8.0 Question:
More informationAnalyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS
Analyzing Huge Data for Suspicious Traffic Christian Landström, Airbus DS Topics - Overview on security infrastructure - Strategies for network defense - A look at malicious traffic incl. Demos - How Wireshark
More informationSeceon s Open Threat Management software
Seceon s Open Threat Management software Seceon s Open Threat Management software (OTM), is a cyber-security advanced threat management platform that visualizes, detects, and eliminates threats in real
More informationApp-ID. PALO ALTO NETWORKS: App-ID Technology Brief
App-ID Application Protocol Detection / Decryption Application Protocol Decoding Application Signature Heuristics App-ID is a patent-pending traffic classification technology that identifies more than
More informationTestBraindump. Latest test braindump, braindump actual test
TestBraindump http://www.testbraindump.com Latest test braindump, braindump actual test Exam : CS0-001 Title : CompTIA Cybersecurity Analyst (CySA+) Exam Vendor : CompTIA Version : DEMO Get Latest & Valid
More informationStandard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.
Standard Categories for Incident Response Teams Definitions V2.1 February 2018 Standard Categories for Incident Response (definitions) V2.1 1 Introduction This document outlines categories that Incident
More informationCompare Security Analytics Solutions
Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch
More informationPrivileged Account Security: A Balanced Approach to Securing Unix Environments
Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged
More informationStrategic Infrastructure Security
Strategic Infrastructure Security Course Number: SCPSIS Length: Certification Exam There are no exams currently associated with this course. Course Overview This course picks up right where Tactical Perimeter
More informationnet use \\<IP>\<PaylasimDizini> /user:<etkialaniadi>\<kullaniciadi> <Parola> psexec \\<IP> -u <EtkiAlaniAdi>\<KullaniciAdi> -p <Parola> cmd.
Windows Komutlari: net use \\\ /user:\ psexec \\ -u \ -p cmd.exe wmic service get name, displayname, started
More informationIncident Response Toolkit :
Incident Response Toolkit : Initial Incident Response Handling Sunday, August 24, 2003 Balwant Rathore, CISSP Founder, Open Information System Security Group 1 Index Keep the Toolkit CD Handy Sample Toolkit
More information